From: Brett Glass
Date: Mon, 01 Sep 2003 13:53:19 -0600
To: ports@freebsd.org
Subject: Problems with ports, packages, and security
Message-Id: <4.3.2.7.2.20030901135222.02a19f00@localhost>

[Note: It was suggested that I copy this message to -ports due to possible interest on this list. -BG]

At 12:37 PM 8/31/2003, Colin Percival wrote:

> In short, provided that you haven't rebuilt the world locally, if FreeBSD Update reports "No updates available", your system is definitely up to date.

That's good to know, though it didn't solve the other problems I mentioned. Or a couple I just encountered.

First, when I built cvsupdate as a port, I found that the commands "make clean" and "make distclean" removed the detritus left behind by creating cvsupdate itself, but did not nuke the junk that was left behind as the system built other ports on which that one depended.
Going around and deleting everything manually (there was no automatic mechanism) was a chore.

Then came another zinger. One of the people who will be using the system wants KDE on it. (Not my choice, since it's GPLed, but he's the client.) So, after rebuilding cvsupdate as a port, I went to /stand/sysinstall to install KDE.

Two problems here. First was that KDE was installed as a binary package... an OUT-OF-DATE binary package built with the buggy libraries. Second, the install failed. The reason appears to be a conflict between ports and packages. As mentioned above, /stand/sysinstall tried to install KDE as a binary package. (Not a bad idea at all in and of itself, but bringing with it the aforementioned security risks.) Worse still, when the package system tried to install some other packages as dependencies for KDE, it hit a few libraries which had been built as ports when I installed cvsup. The installation stopped with an error.

In short, we really have a tangled mess here. Under the current way of doing things, you can't remain updated and secure without using ports -- which is bad because of the time, effort, and disk demands inherent in rebuilding them. What's more, if you do use ports, it messes up your ability to use packages -- even out of /stand/sysinstall -- and leaves junk behind on your disk. Again, what a mess.

The only way to avoid it, again, is to make binary packages "first class citizens." And also to resolve the conflicts between them and the use of ports. It's amazing that after installing exactly one port, I couldn't install a package from /stand/sysinstall.

--Brett